Security priorities shifting to preventing breaches, improving internal controls

For the first time, companies are worried more about preventing a breach than on passing a compliance audit

cyber threat

For the first time, companies are worried more about preventing a breach than on passing a compliance audit -- and are spending the money to prove it, according to a new global survey of IT and business managers.

In fact, compliance was in fifth place as a driver of security spending, after preventing a breach, protecting intellectual property, protecting finances and other assets, and meeting customer requirements.

One reason could be the series of high-profile breaches that have hit the news over the last twelve months. In the U.S., for example, 22 percent of companies said that they had experienced a data breach -- and 34 percent were looking to upgrade security directly because of seeing data breaches cause damage to competitors.

And the damage wasn't just in the form of legal costs and regulatory fines. Although 39 percent of respondents ranked them as a high priority, reputation and brand protection ranked the highest, at 47 percent.

"For the first time, reputation and brand were more important than compliance," said Sol Cates, CSO of Vormetric, Inc., a San Jose-based data security company and the sponsor of the report. "It was a shift."

Another shift is the move from protecting the perimeter to building more internal controls as well.

"The shift is towards internal controls, closer to the data, the information itself, such as encryption and access controls," said Cates.

According to the global survey, 56 percent of respondents plan to increase security spending designed to deal with insider threats, ahead of network defenses at 52 percent and endpoint device protection at 50 percent.

That leaves 44 percent leaving their spending where it is now, or decreasing it. That could be a mistake, Cates said.

"Enterprises are really trying to handle a staggering amount of data and variety of data, cloud, big data, internal applications, and so forth," he said. "It's interesting that some are staying the same or decreasing considering that the volume of data is growing."

Plus, 89 percent of respondents said that their organization was more at risk from an insider attack than it was before.

The survey also highlighted another area of disconnect.

According to respondents, the top locations where data was at risk in significant volumes were databases at 49 percent, file servers at 39 percent, and cloud environments at 36 percent.

By comparison, only 20 percent of sensitive company data shows up on mobile devices and, of that, mostly on company-owned and protected equipment -- but 70 percent of IT decision makers were worried about mobile device protection.

Ovum, the London-based research firm that analysed the survey data for the report, recommended that companies rethink their spending priorities.

"Better results would be achieved by targeting the available funds on risk-based strategies to deal with the protection of sensitive data, monitoring and reporting on usage, and controlling user access," wrote Ovum analyst Andrew Kellett.

The survey itself was conducted on Harris Poll in the fall of 2014.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)